Fix Version/s: Exasol 7.1.2
Exasol 7.1 introduced support for OpenID Connect.
Microsoft Azure AD requires special handling of the standard OpenID Connect flow.
Exasol 7.1.2 introduces a new database parameter, -oidcRefreshTokenGrantScope, which configures the scope Exasol requests from the OpenID Connect authorization server when it exchanges an OpenID Connect refresh token for an OpenID Connect access token during the database connection login procedure.
When a user opens a new database connection to Exasol and provides an OpenID Connect refresh token for authentication, Exasol performs the OpenID Connect Refresh Token Flow (the OAuth 2.0 Refresh Token Grant) in order to obtain an OpenID Connect access token. As part of the Refresh Token Flow, the OpenID Connect client (in this case Exasol) may request that a subset of the scopes associated with the refresh token be included in the access token to be issued. The OAuth 2.0 standard specifies this parameter as optional. Previous Exasol releases requested only the scope "offline_access", because this scope was assumed to always be available and is what enables the refresh of the OpenID Connect refresh token itself, i.e. exchanging a used refresh token for a new one. There are, however, OpenID Connect authorization server implementations that require at least one scope of the OpenID Connect application to be requested before they return an access token for the application's audience. This scenario is now supported via the -oidcRefreshTokenGrantScope database parameter.
This database parameter establishes compatibility with Microsoft Azure AD as an OpenID Connect authorization server.
| Command line parameter | Description |
|---|---|
| -oidcRefreshTokenGrantScope | OpenID Connect scopes to be requested during the Refresh Token Exchange (optional, default: offline_access) |
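The following is an added example, not Exasol's own code: it shows the Refresh Token Grant request that the scope setting above controls, and a pre-flight check that the returned access token was actually issued for the application's audience (the failure mode the parameter addresses). The token endpoint, client id, refresh token and the Azure-style scope string are placeholders/assumptions, and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

DEFAULT_SCOPE = "offline_access"  # Exasol's default, and its only requested scope before 7.1.2


def build_refresh_request(refresh_token, client_id, scope=DEFAULT_SCOPE):
    """Form parameters of the Refresh Token Grant (RFC 6749 section 6); 'scope' is optional."""
    params = {"grant_type": "refresh_token",
              "refresh_token": refresh_token,
              "client_id": client_id}
    if scope:
        params["scope"] = scope
    return params


def refresh_access_token(token_endpoint, refresh_token, client_id, scope=DEFAULT_SCOPE):
    """POST the grant to the authorization server's token endpoint; returns the JSON response."""
    body = urlencode(build_refresh_request(refresh_token, client_id, scope)).encode()
    req = Request(token_endpoint, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def jwt_claims(token):
    """Decode the payload of a JWT-formatted access token WITHOUT verifying it.
    This is only a sanity check; any authorization decision must verify the signature first."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def issued_for_audience(token, expected_audience):
    """True when the access token's 'aud' claim names the application itself."""
    aud = jwt_claims(token).get("aud", [])
    return expected_audience in ([aud] if isinstance(aud, str) else aud)


def constructed_token(aud):
    """Constructed sample token for offline demonstration; the signature segment is left empty."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc({'aud': aud, 'sub': 'user1'})}."


if __name__ == "__main__":
    # Assumed Azure-style scope: the application's own scope plus offline_access.
    print(build_refresh_request("<refresh-token>", "<client-id>", "api://<app-id>/.default offline_access"))
    print(issued_for_audience(constructed_token("api://<app-id>"), "api://<app-id>"))
```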